The Pwnie Awards will accept nominations for bugs disclosed over the
last year, from July 1, 2014 to June 30, 2015.

Nominations will be accepted until June 30. The top five nominees in
each category will be announced on the website and the judges will
gather at an undisclosed location to vote on the winners. The judges
are of course disqualified from winning any Pwnie awards.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most
technically sophisticated and interesting server-side bug. This
includes any software that is accessible remotely without using
user interaction.

SAP products make use of a proprietary implementation of the
Lempel-Ziv-Thomas (LZC) adaptive dictionary compression
algorithm and the Lempel-Ziv-Huffman (LZH) compression
algorithm. These compression algorithms are used across
several SAP products and programs. Vulnerabilities were found
in the decompression routines that could be triggered in
different scenarios, and could lead to execution of arbitrary
code and denial of service conditions.
Basically a single bug that pwns almost ALL SAP products and
services.

Netanel took the most popular e-commerce platform in the
world, holding 30% of the web's online shops, and ripped them
a new one, with a vulnerability in Magento core, affecting
default installations (or practically any installation) since
2009. The exploit itself is built on a cascade of
vulnerabilities in Magento's reflection and dynamic code
loading mechanisms (all discovered by Rubin), and concludes
with the cunningly innovative detection-dodging technique of
running code using PHP's 'phar://' stream wrapper.
The exploit, allowing silent unauthenticated remote code
execution on hundreds of thousands of online shops, was
dubbed "Shoplift", and was awarded the maximum allowed bounty
per the eBay (Magento owners) program - 20,000 USD, wreaking
havoc in the e-commerce admin world. Recent Magento
compromises may be attributed to these findings.
On top of it all, the public disclosure and exploit were
released on the day of Magento's annual developer conference.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most
technically sophisticated and interesting client-side bug.

The "BLEND" opcode font bug was in a shared code base used
both in Adobe Reader font renderer and Microsoft Windows
Kernel (32-bit) font renderer. It allowed both to get code
execution in Adobe Reader using a font embedded in a PDF file,
and to later escape the sandbox and get SYSTEM rights by
exploiting the exact same bug in the shared codebase in the
Windows Kernel (ATMFD.DLL driver, part of Windows GDI).

The CVE-2014-4114 (a.k.a. "Sandworm") zero-day attack was first
disclosed by iSIGHT Partners in October 2014; it is believed to
have been used in Russian cyber-espionage campaigns targeting
many sensitive organizations, including NATO. On the technical
side, the most interesting point is that this is a logic bug
(better considering it's a "feature", yeah!) in the "Packager"
OLE object, which allows Office to perform context menu actions
on embedded file objects automatically. Since it's a logic bug,
the exploit runs quite smoothly and reliably, even with
effective exploitation mitigation tools such as EMET installed.
All this made the vulnerability the premier choice for later
exploit kits and cyber attacks targeting Office. Another
interesting point is that Microsoft failed to patch the bug
(though they did stop the original exploit samples) in its
initial fix, MS14-060; the vulnerability was finally resolved
in the second fix, MS14-064, with a new ID, CVE-2014-6352,
assigned.

Tavis' ESET shadow stack vulnerability is a backhanded slap to
the Slovakian AV vendor, highlighting the massive pwnage
possible by exploiting security solutions. Not only did Tavis
disclose a remote code execution vulnerability 4 days after
reporting, this one is in the signature engine, available in
practically any ESET product, has a thousand remote vectors
(email/network/usb/web), is cross-platform and OS independent,
AND he released a CUSTOMIZABLE WORKING EXPLOIT with a makefile
and worm payload. He let them have it. The vuln is pretty
cool, too, manipulating the real ESP via a shadow emulated
stack pointer. A truly epic one.

W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site
Request Forgery issue. It occurs because the CSRF token
"_wpnonce" is not properly validated. This CSRF issue can be
used to perform many actions, but the one with the biggest
impact on users is redirecting them to malicious websites.
This is possible through the feature that lets an admin
specify particular user-agents to be redirected to a mobile
site. An exploit that forces the victim to change this policy
can redirect every visitor to the victim's website to a site
specified by the attacker, simply by adding all the common
keywords used in user-agent strings.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically
sophisticated and interesting privilege escalation vulnerability.
These vulnerabilities can include
local operating system privilege escalations, operating system
sandbox escapes, and virtual machine guest breakout vulnerabilities.

Mark Seaborn and the little known "Thomas Dullien" bring us
memory (DRAM) bit flips after repeated memory access causes
electrical charges to cross DRAM cells. Working Linux exploits
were produced to gain userland to kernel privs, and other OSes
are suspected to work too. Vulnerable machine count and fix
plan is still under evaluation.

KeenTeam has released a root privilege escalation exploit
called pingpongroot, which roots Galaxy S6 and more coming
soon. It exploits a use-after-free Linux kernel bug triggered
via two connections over a ping socket. The exploit works on
Android devices >= 4.3, including the latest 64-bit Android
devices and bypasses PXN kernel isolation. This work is being
presented at Black Hat USA 2015 by Keen team member Wen Xu.

UEFI SMM Privilege Escalation

Credit: Corey Kallenberg

Firmware update code in the open source UEFI reference
implementation was identified as containing several
vulnerabilities last year. Successful exploitation resulted in
the ability for a privileged ring 3 process to stage a payload
in the context of the firmware and then invoke and exploit the
vulnerable UEFI firmware update code. This userland (ring 3)
to firmware/SMM ("ring -2") privilege escalation vulnerability
is present on the majority of PC OEMs, affecting over 500
*models* from HP alone. Other vendors have also issued patches
for dozens of their models, and because the UEFI reference
implementation is used as the starting point by many OEMs,
many other vendors are known to be vulnerable that will
probably never acknowledge it, or release patches. Work by
Corey Kallenberg, Xeno Kovah, John Butterworth and Sam
Cornwell.

This win32k bug, still unpatched, resides in the TrueType Font
code shipped with Windows 8.1. Details regarding the
exploitation technique and a high-level abstract description
of the bug were presented at REcon this year, and the exploit
was used to win at Pwn2Own 2015.

The "BLEND" opcode font bug was in a shared code base used
both in Adobe Reader font renderer and Microsoft Windows
Kernel (32-bit) font renderer. It allowed both to get code
execution in Adobe Reader using a font embedded in a PDF file,
and to later escape the sandbox and get SYSTEM rights by
exploiting the exact same bug in the shared codebase in the
Windows Kernel (ATMFD.DLL driver, part of Windows GDI).

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and
innovative research in the form of a paper, presentation, tool or
even a mailing list post.

ret2dir is a new kernel exploitation technique that uncovered
how fundamental OS design practices and implementation
decisions can significantly weaken the effectiveness of
state-of-the-art kernel protection mechanisms.

Return-to-user (ret2usr) attacks are the de-facto kernel
exploitation technique in commodity OSes. In a ret2usr
attack, kernel code or data pointers are overwritten with
user-space addresses after exploiting certain memory
corruption vulnerabilities in kernel code. This allows
attackers to execute shellcode with kernel rights by
hijacking a privileged control path and redirecting it to
user space memory, easily circumventing protections like
kernel ASLR and NX. In essence, ret2usr attacks take
advantage of the weak separation of the kernel context from
user space (i.e., kernel code and data are inaccessible from
code running in user mode, but the kernel has complete and
unrestricted access to the whole address space, including
user code and data), as for performance reasons the kernel
is typically mapped into the address space of every running
process. In response to such attacks, several
kernel-hardening approaches have been proposed to enforce a
more strict address space separation, by preventing
arbitrary control flow transfers and data accesses from
kernel to user space. Intel and ARM recently introduced
hardware support for this purpose in the form of the SMEP,
SMAP, and PXN processor features.

In their work, Kemerlis et al. showed that although
mechanisms like the above prevent the explicit sharing of
the virtual address space among user processes and the
kernel, conditions of implicit sharing still exist due to
fundamental OS design choices that trade stronger isolation
for performance. They demonstrated how implicit data sharing
can be leveraged for the complete circumvention of software
and hardware kernel isolation protections, by introducing a
new kernel exploitation technique, dubbed
return-to-direct-mapped memory (ret2dir). ret2dir bypasses
existing ret2usr protections, such as PaX's KERNEXEC and
UDEREF, Intel's SMEP and SMAP, as well as ARM's PXN, by
taking advantage of the kernel's direct-mapped physical
memory region. They also presented techniques for
constructing ret2dir exploits against x86, x86-64, AArch32,
and AArch64 Linux targets that bypass all tested protection
mechanisms (KERNEXEC, UDEREF, SMEP, SMAP, and PXN). Finally,
to mitigate ret2dir attacks, they also discussed the design
and implementation of an eXclusive Page Frame Ownership
(XPFO) scheme for the Linux kernel that prevents the
implicit sharing of physical memory pages.

Modern Platform-Supported Rootkits

Credit: Rodrigo Branco and Gabriel Barbosa

The presentation is innovative because it demonstrated the
dangers of composed assumptions in modern computing
environments. The presenters uncovered lots of hidden
functionality in the modern Intel architecture to prove their
points. In the materials, they also released new techniques
that make it impossible for software to defend itself, due to
decisions made in the hardware, and discussed how to avoid
such confusions in the future. They unveiled new ways for
malware to protect itself, splitting functionality and
abusing platform capabilities to hook system properties.
Finally, they also expanded the current understanding of
computer caches to a new level, using software-only ways to
create cache asynchrony and bypass forensic tools (with
demonstrable proof that previous research lacked).

Threatbutt Advanced Enterprise Platform

Credit: ThreatButt

The leading paper on threat intelligence and advanced cyber
detection of cyber threaty threats.

In the summer of 2014, Microsoft silently introduced two new
exploit mitigations into Internet Explorer with the goal of
disrupting the threat landscape. These mitigations increase
the complexity of successfully exploiting a use-after-free
vulnerability. June's patch (MS14-035) introduced a separate
heap, called Isolated Heap, which handles most of the DOM and
supporting objects. July's patch (MS14-037) introduced a new
strategy called MemoryProtection for freeing memory on the
heap. This talk covers the evolution of the Isolated Heap and
MemoryProtection mitigations, examines how they operate, and
studies their weaknesses. It outlines techniques and steps an
attacker must take to attack these mitigations to gain code
execution on use-after-free vulnerabilities where possible. It
describes how an attacker can use MemoryProtection as an
oracle to determine the address at which a module will be
loaded to bypass ASLR. Finally, additional recommended
defenses are laid out to further harden Internet Explorer from
these new attack vectors.

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Credit: David Adrian et al.

This paper introduces the Logjam attack, a vulnerability that
allows a man-in-the-middle attacker to downgrade TLS
connections to 512-bit export-grade Diffie-Hellman and recover
the session keys.
It then goes on to make a convincing case that the NSA is
already doing this for 1024-bit Diffie-Hellman. Although
this would require an enormous investment in computing power
(perhaps the biggest secret crypto project since WW II), it
would allow them to passively eavesdrop on about half of
encrypted VPN and SSH traffic. This explanation precisely
fits the crypto breaks described in the Snowden leaks.
This paper is a landmark result, in that it uncovers a major
blindspot in the relation between crypto theory and security
practice, introduces a novel TLS break that is practical to
exploit today, and solves a major open question about
government mass surveillance capabilities.
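The client-side defence that browsers shipped after Logjam is to reject small dh_p values in the ServerKeyExchange, because the downgrade leaves the client believing it negotiated an ordinary DHE suite. As an added example (not code from the paper or its authors), the following Python parses the TLS 1.2 ServerDHParams structure and classifies the prime's size; the constructed sample message, the 2048-bit threshold, and the ServerDHParams/classify_dh_group names are this example's own assumptions.

```python
import struct
from dataclasses import dataclass


@dataclass
class ServerDHParams:
    """ServerDHParams from a TLS 1.2 ServerKeyExchange (RFC 5246, 7.4.3)."""
    p: int    # dh_p: the group prime
    g: int    # dh_g: the generator
    ys: int   # dh_Ys: the server's public value


def _read_vector16(buf: bytes, off: int):
    """Read an opaque<1..2^16-1> vector (2-byte length prefix) at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[off:off + n], off + n


def parse_server_dh_params(buf: bytes) -> ServerDHParams:
    """Parse the leading ServerDHParams struct; the signature that follows
    it in a real ServerKeyExchange is not examined here."""
    p_bytes, off = _read_vector16(buf, 0)
    g_bytes, off = _read_vector16(buf, off)
    ys_bytes, off = _read_vector16(buf, off)
    return ServerDHParams(
        p=int.from_bytes(p_bytes, "big"),
        g=int.from_bytes(g_bytes, "big"),
        ys=int.from_bytes(ys_bytes, "big"),
    )


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used here only to build constructed samples."""
    def vec(n: int) -> bytes:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(body)) + body
    return vec(p) + vec(g) + vec(ys)


def classify_dh_group(p: int, minimum_bits: int = 2048) -> str:
    """Classify the prime size the way a Logjam-aware client should:
    <= 512 bits is export-grade (the Logjam downgrade target), anything
    below the configured minimum is weak, and the rest is acceptable."""
    bits = p.bit_length()
    if bits <= 512:
        return "export-grade"
    if bits < minimum_bits:
        return "weak"
    return "acceptable"


# Constructed sample: a 512-bit odd number standing in for an export-grade
# dh_p (it is NOT a real DH group prime), g = 2 and an arbitrary dh_Ys.
SAMPLE_EXPORT_P = (1 << 511) | 0x1234567
SAMPLE_MESSAGE = encode_server_dh_params(SAMPLE_EXPORT_P, 2, 0xABCDEF)


def check_sample() -> str:
    """Parse the constructed message and report its classification."""
    params = parse_server_dh_params(SAMPLE_MESSAGE)
    return classify_dh_group(params.p)
```

A client applying this check would abort the handshake on "export-grade" or "weak", which is exactly what defeats the downgrade regardless of which cipher suite the attacker made the two sides believe they negotiated.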

Pwnie for Lamest Vendor Response

Awarded to the vendor who mishandled a security
vulnerability most spectacularly.

The bluecoats are coming! The bluecoats are coming! ... for your talk.

BlueCoat, the web proxy hardware of choice for silently
intercepting and blocking SSL traffic, proved itself also
quite capable of silently intercepting and blocking security
research. Raphaël Rigo was to present his research on the
internals of BlueCoat's ProxySG operating system at SyScan
this year, but BlueCoat blocked it. Well-known CISOs became
enraged and refused to spend their budget on them, while
security researchers on Twitter reacted more diplomatically.

Seagate NAS RCE

Credit: Seagate

OJ Reeves found a multi-stage RCE vulnerability in Seagate NAS
devices. That was the fun part; next came the actual work:
notifying and managing disclosure with the vendor. Not
surprisingly, it took real work. After the initial 100 days
was close to running out, complaining on Twitter actually got
someone to put him in contact with someone at Seagate who was
interested in helping. OJ gave them another 30 days before
publishing his advisory.

Seagate's response was to immediately downplay the issue to
journalists and make sure that no messy "facts" got in the way
of their reporting of the vulnerability, demonstrating just how
proactive they are about security.

Samsung Swift Keyboard MITM RCE

Credit: Samsung

NowSecure's Ryan Welton discovered that Samsung's
pre-installed Swift keyboard had an itty-bitty
remote-code-execution-as-user-system vulnerability. Samsung
asked for 1 year to fix it, and then 3 more months. Just for
good measure, Ryan delayed disclosure by yet another 3 months.
Hopefully Samsung is working on patching the 600M vulnerable
devices all running carrier-dependent firmware images. In the
meantime, users should disable or uninstall the pre-installed
Swift keyboard. Oh wait, they can't. Security-conscious users
should take precautions such as: not connecting to untrusted
wifi networks or carrier cellular networks, disabling WiFi and
cellular data, or just not using Samsung devices.

Pwnie for Most Overhyped Bug

Awarded to the person who discovered a bug resulting in the most
hype on the Internets and in the traditional media. Extra points
for bugs that turn out to be impossible to exploit in practice.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And
what use would the Internet be if it wasn't there to document this FAIL for
all time? This award is to honor a person or company's spectacularly epic
FAIL.

Oh, Please... Man!

Credit: U.S. Office of Personnel Management

Remember when you applied for that security clearance and you
told a federal employee all the vile things you’ve ever done?
Good news, now everyone knows. Wait that might not be good
news. Regardless, the OPM let you and everyone else down. So
much so, that the USA government might actually be pulling
covert agents out of foreign countries. USA #1 (in awful federal
data breaches).

We're Not Quite Sure

Credit: Plus Bank

All this shit is in Polish so we can't begin to understand the
story or be troubled with using Google translate, but apparently
a bank in Poland got popped and then pulled a 40 year old
mid-life crisis move and denied everything regardless of the
evidence against them. We almost have to tip our hat to anyone
that can live a lie of that magnitude. Kudos Plus Bank!

Peepin' on the Creepin'

Credit: AshleyMadison.com

As a group of people who have been cheating on their operating
system for years (Dino really loves Windows Vista), the Ashley
Madison hack hits close to home. The biggest plus side is that
we’ve heard that all buildings below 101st street in Manhattan
are being powered by divorce lawyers rubbing their hands
together. It will be interesting when the first party links the
OPM data with the Ashley Madison cheat list. Public Service
announcement, if you’re going to cheat on your spouse please go
old school and hook up with the pool boy.

ManageEngine apparently is some IT software that someone
finally decided to audit, and they won vulnerability bingo.
RCE, SQL injection, file downloads, information disclosures and just
about every other type of vulnerability known to man. We’re just
speculating but it appears that this software was designed as a
reading comprehension test for The Art of Security Software
Assessment. Unleash this Pokeball of vulnerabilities and collect
them all!

Aviator

Credit: WhiteHat Security

WhiteHat Security released their own web browser called
‘Aviator’, which we can only assume was named after the movie
starring Leonardo DiCaprio as Howard Hughes. Apparently, writing
a secure web browser is hard (editor’s note: let’s go shopping)
and it had quite a few weaknesses as pointed out by some
no-names (Justin Who?) at Google. Secure
by default is always hard, even when adopting the Chromium code base.

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does
discrete mathematics for fun. Like mathematicians, hackers get off
on solving very obscure and difficult to even explain
problems. Like models, hackers wear a lot of black, think they are
more famous than they are, and their career effectively ends at
age 30. Either way, upon entering one's third decade, it is time
to put down the disassembler and consider a relaxing job in
management.

This award is to honor the previous achievements of those who have
moved on to bigger and better things such as management or owning
(in the traditional sense) a coffee shop.

Ivan Arce

Behind every hacker crew is their spirit leader, and Ivan Arce
is Argentina's answer to this. Long time industry expert and
co-founder of Core Security, Ivan has fostered a generation of
hackers and security professionals. He has been an industry
driving force since the late 90's, and continues to usher in
the next generation of offense-oriented experts and
technology.

Gera Richarte

If Ivan is Argentina's hacker spirit leader, Gera is the truth
teller. Gera has been demonstrating fact from fiction in
exploit development circles since the late 90's, and continues
to lead the technical community.

Wu Shi

Shanghai-based researcher Wu Shi has been setting the bug
bounty payday standard since the concept was invented. His
work in browser exploitation, phone hacking, and vulnerability
research has led to the Keen team winning at Pwn2Own for 3
consecutive years, and he continues to share results at
conferences such as this one here, now.

Halvar Flake

His LinkedIn title reads "staff engineer" which is typical
underplayed Halvar. We can't even begin to list his
achievements and industry input here. Google him, and not just
because they bought him.

Rolf Rolles

Long-time reverse engineer, anti-software-protection and
deobfuscation expert, and Halvar protégé Rolf Rolles has been
cranking out research papers and leading efforts in RE circles
for over a decade. Rolf was the primary engineer behind BinDiff
and VxClass, the products that led to Google's acquisition of
Zynamics in 2011. Rolf is also the creator and moderator of the
Reverse Engineering Reddit and has a track record of sharing
his knowledge and results with the community as an author and
teacher.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a
single organization or distributed across the wider Internet
population. The Epic 0wnage award goes to the hackers responsible
for delivering the most damaging, widely publicized, or hilarious
0wnage. This award can also be awarded to the researcher
responsible for disclosing the vulnerability or exploit that
resulted in delivering the most owws across the Internet.

Kaspersky Lab

Credit: Duqu 2.0

If everyone else sees Chinese hackers everywhere, Kaspersky
Lab sees Duqu everywhere, even on their own network.
Kaspersky has attributed the attack and malware to "The
Letters Gang", so named for their predilection for using the
alphabet to form words.

Hacking Team

Credit: Maybe China

That's a spicy mal-a-ware! Hacker Daytime Television (also
known as Twitter) hasn't been this good in years.

U.S. Office of Personnel Management

Credit: Probably China

Anyone who thinks that the details of the personal lives of
millions of federal workers are even remotely interesting has
clearly never worked with any of them. So, it was probably
China, who will have to setup thousands of specialized "OPM
dens" to painstakingly read through all of them.

The World

Credit: Definitely China

After being blamed for being behind a cyberattack every time
that some elderly computer user can't print out an e-mail,
China now has to actually hack everything everywhere just in
order to live up to everyone's expectations of them. They are
the real victim here.

Samsung Swiftkey Keyboard Bugdoor

Credit: Samsung

This is a non-memory-corrupting RCE. It required no user
interaction and was possible for any attacker in a position to
perform a MITM attack. No authentication at all. Vulnerable
devices include basically every Samsung device made in the
past ~2.5 years, including current flagships. It was
discovered in 2014, but the vendor was given lots of time to
fix it due to the high number of affected users and the
severity. It was discovered and publicly disclosed by Ryan
Welton at Black Hat London, 2015.

This nomination, however, goes to Samsung for backdooring
their entire user population with a remotely
exploitable, highly privileged, logic vulnerability that
yields remote code execution. Bra-VO!